Enterprise Risk Management: A Best Practice Approach

Sebastian Francis and Bob Paladino

What do leading companies with robust, best practice-based enterprise risk management (ERM) programs know that could benefit your organization? This article, which draws on research with 17 leading private- and public-sector organizations, details ERM practices your organization can use to define, manage, and integrate ERM programs.

What do leading companies with robust, best practice-based enterprise risk management (ERM) programs know that could benefit your organization? What differentiates their ERM programs from many other leading companies? How do they define, manage, and integrate their ERM programs into their company operations? This article, based on extensive research with 17 leading private and government sector organizations for six months, reveals best practices in this relatively immature field of study. Most companies define risk narrowly as IT risk, Sarbanes-Oxley or audit risk, or commodities risk, but only a handful fully understand and incorporate a holistic definition of risk in their programs to create value in their companies. Have you considered supplier, customer, project management, competitor, pricing, records management, security, and many other risks?

INTRODUCTION

In 2006, APQC's Sebastian Francis and Angelica Wurth invited subject matter experts Bob Paladino and David Axson to commence a consortia study project to better understand and capture best practices in ERM programs. The study objectives included:

* discovering how first-rate ERM programs enable the holistic management of business, financial, and operational risks to meet organizational objectives;
* identifying methodologies, tools, and best practices proven successful in enabling, managing, and measuring ERM performance; and
* examining ERM trends to identify threats and risks to your company.


The team reviewed dozens of companies and identified five best practice partner companies (companies with innovative practices) to study. These included: Blue Cross Blue Shield of Florida, FirstEnergy, Fonterra Co-operative Group Ltd., Split Rock Energy, and the United Illuminating Company. Eight of the following twelve organizations sponsored the research project and participated in the surveys for comparison purposes.

* BT Group plc,
* Embarq Corporation,
* Federal Highway Administration,
* National Financial Services Organization,
* IBM,
* KPMG,
* Kuwait Petroleum Corporation,
* Petroleum Company of Trinidad and Tobago Limited,
* Sprint Nextel Corporation,
* Tennessee Valley Authority, and
* Washington Mutual, Inc.

BEST PRACTICE SUMMARY FINDINGS

This consortia study research has revealed that best practice enterprises view ERM as a strategic and highly regarded process, not an event. Best practice organizations incorporate ERM into their overall strategic and business planning processes, thus raising its importance and visibility in their organizations. This formalization underscores their commitment to ERM and recognition of its value in not only minimizing risk, but also maximizing inputs and visibility of ERM elements enterprisewide. Best practice management teams regularly use the ERM processes in the normal course of their business operations.

Best practice organizations invest more heavily in a range of tools and infrastructure than do sponsors to capture information, conduct risk analyses, and communicate results throughout their organizations. The ERM process tools also provide for increased transparency and enable broad and deep employee usage.

THREE PRIMARY BEST PRACTICES

1. Risk management is part of the strategic and planning process. Organizations that embed risk management as part of strategy are able to have a seamless process to goal attainment. By reviewing the opportunities and threats of risk, organizations are better able to assess the probability of successfully achieving strategic objectives.

2. Mature ERM practices leverage technology to automate data capture and report risk measures. Partner organizations leveraged a variety and number of enabling technologies for ERM. Mature ERM organizations built robust infrastructures to more effectively manage risk.

3. ERM formal training is more rigorous at partner organizations, enabling the understanding of risk management at the individual level.

The balance of this article expands these summary findings and provides detailed examples from selected best practice partner organizations. A complete set of findings is available in the final report from APQC.

Best Practice Finding Statement #1

Risk management is part of the strategic and planning process. Organizations that embed risk management as part of strategy are able to have a seamless process to goal attainment. By reviewing the opportunities and threats of risk, organizations are better able to assess the probability of successfully achieving strategic objectives.

Our survey of both sponsor and best practice partner organizations revealed the following distinguishing characteristics of their ERM processes.

Supporting Point

Partner organizations report on the degree the ERM process is embedded in the strategic planning process as 40 percent fully embedded and 60 percent somewhat embedded, compared to 62.5 percent in total for these same responses for sponsor organizations. See Exhibit 1 for details.

Partner and sponsor ERM programs have similar definitions for the scope of their ERM processes, citing nearly the same coverage for including or addressing financial, operational, and strategic risks. There are minor discernible differences between partner and sponsor organizations for all three risks (see Exhibit 2).

Supporting Point

Best practice partner organizations more frequently conduct ERM process activities than sponsors do. Partner organizations mostly conduct activities weekly, monthly, and quarterly, while sponsors more likely do so biannually or annually (Exhibit 3). Sponsor organizations mostly conduct these key activities on an annual basis.

Exhibit 1: ERM and Strategy Process (bar chart of survey question 5, "To what extent is risk assessment or ERM embedded in corporate strategic process?"; response options: fully embedded, somewhat embedded, not embedded, other; "other" includes "just beginning to do risk assessments"; Partner n = 5, Sponsor n = 8)

Exhibit 2: Scope of ERM Program (bar chart of survey question 6, "What is the scope of your ERM (please refer to the glossary for risk-type definitions)? Please check all that apply."; categories: financial, operational, strategic, other; "other" includes hazards, project probabilistic risk assessment, legal, regulatory, liquidity/capital, reputational, market, and credit; Partner n = 5, Sponsor n = 8)

Exhibit 3: ERM Activities (chart of survey question 8, "Please indicate the frequency of each activity in operating an ERM methodology")

At Blue Cross Blue Shield Florida (BCBSF), a strategic risk assessment is conducted in the fall of every year using a worksheet tool. The strategic risk assessment consists of one-on-one discussions and independent assessments. The risk management department collates and assimilates the information. The office of the chief executive officer (OCEO) validates this information and is responsible for strategy formulation. The list of strategic risks is used as an input into strategic planning. Once strategic planning is completed, it is communicated to the entire organization via closed circuit monitors and an internal electronic newsletter.

The BCBSF ERM program seeks to drive risk management to operational areas by “mapping” strategic risks to operational planning through its plan and budget process. The controllership activity is managed by ARC. When the organization analyzes risks, it seeks to understand how to change risk impact, and/or the likelihood, and/or identify opportunities associated with the risk.

The identification, evaluation, and quantification of risk takes place at the operational level, resulting in a risk profile. A team consisting of risk owners at the operational level, internal audit, downstream departments, compliance, and privacy creates risk profiles. Risk owners are identified in the organization's corporate risk policy that has been in effect since 2002.

“Risk integrator” areas were established to integrate the ERM process into key functional areas. For example, one key functional area within the organization is claims and customer service, consisting of 3,500 to 4,000 employees, where claims are processed. This functional area has a team of four to five people focused on compliance claims—claims that have to abide by certain regulations. This small team welcomed the opportunity to be strategic in enabling the overall claims and customer service department to achieve its objectives by leveraging ERM tools that were available on their own system.

BCBSF sustains support for ERM by providing a two-sided view of risk. On one side, the downside of risk, ERM is widely accepted largely due to computer-based training that every employee must complete within 30 days of employment. Additionally, compliance issues such as Sarbanes-Oxley provide a clear understanding of managing the downside of risk. On the other side, the upside of risk, the premise is reducing uncertainty and increasing the opportunity to succeed.

BCBSF's governance model reinforces its strategic focus by involving the board of directors, audit committee, and members of the senior leadership team, as shown in Exhibit 4.

Exhibit 4: Blue Cross Blue Shield Florida Risk Governance Model (organization chart: Board of Directors; Audit Committee; Audit, Risk Management and Compliance Division (part of Legal and Business Assurance Group); Risk Management Department, providing "thought leadership", creation of program components, and the chair of the Risk Council; Strategic Risk Oversight and Operational Risk Oversight; Risk Council, with Internal Audit, Compliance, IT Risk Management, Legal, and Six Sigma; Functional Level Management; Enterprise Risk Management)

The board of directors (BoD), the audit committee, and the Audit, Risk Management, and Compliance Division provide thought leadership where ERM is both a program and process. The process involves risk thinking and managing, and the program involves providing the tools and consulting for the organization.

Both strategic and operational risks are the responsibility of the risk management department. The risk council administers both areas of risk management. The risk council enables the analysis of both strategic and operational risks, resulting in both top-down and bottom-up risk management. The risk council consists of director- and vice president-level resources.

At Best Practice Study Partner FirstEnergy (FE), a decision was made to create a specific department solely focused on risk management. ERM and its risk control group focused on developing control processes and risk management systems at the new unregulated subsidiary. FE understands that risk is both a threat and an opportunity, Enterprisewide Risk Manager Tom Marshall said. For example, when deregulation was taking place, the organization sought to mitigate risk by identifying other lines of business. In 2001, a chief risk officer (CRO) role was established and staffed. Also in 2001, Bob Paladino, then vice president for Drs. Kaplan and Norton's consulting division, partnered with FE's Richard J. Horak, director of performance planning, and his team to design and roll out the balanced scorecard at FE. Paladino recalls, “The leadership team was focused on integrating strategic and operational objectives and risk factors into balanced scorecards so they could be proactively managed.” FE's ERM is clearly linked to the organization's integrated business planning (IBP) process, which includes strategic planning, budgeting, and forecasting. The IBP was based on Norton and Kaplan's balanced scorecard approach, with a focus on identifying and achieving goals and objectives from financial, customer, internal process, people, and technology perspectives.

Exhibit 5: FirstEnergy's Risk Identification Process and Results (panels: Risk Identification Process: send risk management questionnaire to target audience (bottoms-up approach); facilitate meeting with business unit management to compose "Risk Exposure Map"; complete Risk Action Plan: measure risk, understand correlation, develop strategy, appoint an owner; survey senior management (top-down approach). Risk Management Questionnaire. Human Resources Risk Exposure Map (illustrative). Senior Management Survey Results: management and monitoring, frequency of responses. Risk Action Plan (illustrative) with columns Risk Description, Risk Management Strategy, Risk Owner)

Exhibit 6: FirstEnergy's ERM Program ("All risk is not created equal": Financial Performance Risk, Operational Risk, Compliance and Financial Reporting Risk; Good Rules; Good Decisions)

Exhibit 7: UI's Organizational Chart and Process Model (organization chart of The United Illuminating Company: President and Chief Operating Officer, A. J. Vallillo; Senior Executive Administrative Assistant; Vice President Finance & Chief Financial Officer; Vice President Corporate Affairs; Vice President Technology & Chief Information Officer; Vice President Electric System; Associate Vice President, Strategic Business Services, E. J. Drew Jr. UI's Process Model, including Attract and Engage the Workforce and Financial Integrity)


The risk assessment process, based on the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) ERM framework, is built into the annual IBP process. A key question that the organization employs in this effort is, “What risks may prevent the achievement of goals and objectives?”

The IBP department, the business units, and the ERM group collaborate to facilitate the annual IBP process to ensure that appropriate risk management strategies are addressed and budgeted. Risk identification and management strategies are communicated to senior management for strategy development meetings.

The ERM process involves sending a questionnaire to each business unit. Once the questionnaire is returned, responses are analyzed. The ERM group then meets with each business unit, with the objective of achieving a better understanding of their identified risks. Then the ERM group measures the likelihood and severity of risks and creates a risk exposure map. The risk exposure map is shared with the business unit so that it can understand where risk resides relative to severity and likelihood. Exhibit 5 shows the risk identification process, risk management questionnaire questions, risk exposure map, and survey results.

This exercise enables both the ERM and business unit groups to have a better understanding of what the major risks may be, enabling better management of major risks. Both groups understand that quantifying risks may not be an exact science, but when analyzing a group of risks it becomes clear which risks may be greater, relative to each other.
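The following Python, added here as an illustration and not part of the article or of FirstEnergy's own tooling, works the process above on constructed questionnaire responses: each risk is scored on assumed 1-to-5 likelihood and severity scales, placed on an exposure map, ranked relative to the others, and then rolled up by risk category into the kind of corporate-level metrics the consolidation described later in the article calls for. The scales, band thresholds, categories and sample risks are all assumptions.

```python
"""Risk exposure map built from business-unit questionnaire responses.

Added example; the scales, band thresholds and sample data are assumptions,
not FirstEnergy's actual method.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scales: 1 (rare / negligible) .. 5 (almost certain / severe).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed exposure bands on the likelihood x severity product (1..25):
# a score >= 15 is "high", >= 8 is "medium", anything else is "low".
BANDS = (("high", 15), ("medium", 8), ("low", SCALE_MIN * SCALE_MIN))


@dataclass(frozen=True)
class RiskResponse:
    business_unit: str
    description: str
    category: str      # market, event, operational or strategic (the article's four)
    likelihood: int    # 1..5
    severity: int      # 1..5
    owner: str


def validate(r: RiskResponse) -> RiskResponse:
    """Reject answers outside the agreed scale so a typo (50 instead of 5)
    cannot silently dominate the map or the roll-up."""
    for name, val in (("likelihood", r.likelihood), ("severity", r.severity)):
        if not SCALE_MIN <= val <= SCALE_MAX:
            raise ValueError(f"{r.business_unit}/{r.description}: {name}={val} "
                             f"outside {SCALE_MIN}..{SCALE_MAX}")
    return r


def exposure(r: RiskResponse) -> int:
    """Exposure score: likelihood x severity (ordinal product, 1..25)."""
    return r.likelihood * r.severity


def band(score: int) -> str:
    """Map an exposure score onto the map's bands (first threshold met wins)."""
    for label, floor in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} below the scale minimum")


def exposure_map(responses):
    """Grid keyed by (likelihood, severity) -> risk descriptions in that cell,
    the layout a business unit sees when the map is shared back with it."""
    grid = defaultdict(list)
    for r in map(validate, responses):
        grid[(r.likelihood, r.severity)].append(r.description)
    return dict(grid)


def rank(responses):
    """Relative ordering: highest exposure first, ties broken by severity so a
    high-impact, low-probability item is not buried under nuisance risks."""
    return sorted((validate(r) for r in responses),
                  key=lambda r: (exposure(r), r.severity), reverse=True)


def aggregate_by_category(responses):
    """Roll unit-level scores up into corporate metrics per risk category:
    number of risks, the worst exposure, and how many sit in the high band."""
    out = defaultdict(lambda: {"count": 0, "max_exposure": 0, "high": 0})
    for r in map(validate, responses):
        s = exposure(r)
        m = out[r.category]
        m["count"] += 1
        m["max_exposure"] = max(m["max_exposure"], s)
        m["high"] += int(band(s) == "high")
    return dict(out)


# Constructed sample responses from two business units (not real data).
SAMPLE = [
    RiskResponse("Generation", "Unplanned outage at a base-load plant", "operational", 3, 5, "Plant manager"),
    RiskResponse("Generation", "Spot-market fuel price spike", "market", 4, 4, "Fuel procurement"),
    RiskResponse("Generation", "Late environmental permit renewal", "event", 2, 3, "Environmental affairs"),
    RiskResponse("Retail", "Large customer defaults on receivables", "market", 2, 4, "Credit manager"),
    RiskResponse("Retail", "Billing system outage", "operational", 3, 3, "IT operations"),
    RiskResponse("Retail", "Loss of key account to competitor", "strategic", 3, 2, "Sales director"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{exposure(r):>2} {band(exposure(r)):<6} {r.business_unit:<10} {r.description}")
    print(aggregate_by_category(SAMPLE))
```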

The ERM group has a relationship with internal auditing (IAD) that enables the sharing and exchange of information. The groups meet every other month and prior to embarking on their own planning process. IAD has the responsibility of preventing and detecting fraud.

The ERM group is more focused on higher-level risks that have to do with successfully executing strategy. Exhibit 6 shows FE's risk roles and responsibilities.

The CRO's responsibilities include:

* assisting the CEO, audit committee, and risk policy committee with their risk oversight responsibilities;
* acting as a catalyst to cause ongoing, honest discussion of risk and communication of risk throughout the organization;
* serving as a member of many steering committees; and
* maintaining a systematic risk assessment approach throughout the organization and providing the risk policy committee (RPC) with early visibility on risk issues.

The ERM group is responsible for developing and maintaining a consistent risk assessment process to be used throughout the organization, assisting and facilitating the business units in the identification of critical risks that could have a material impact on the business unit's operating results. Consolidation of the market, event, operational, and strategic risk measures into corporate risk metrics is reported to senior management on a regular basis. Key performance indicators (KPIs) are developed to support mitigation strategies and are tied to compensation. The group also performs risk assessments on large projects and investment decisions to give senior management better tools for decision making.

Exhibit 8: UI's Integrated Strategic Planning and Risk Management Process (flow diagram: strategic and budgeting plan; external perspectives and other perspectives; performance; strategic, tactical, risk management and BCP plans; goals, strategies, projects and budgets; budget and risk monitoring and control)

Exhibit 9: UI's “Manage Risk” Process (Inputs: objectives, uncertainty, overall risk parameters, past threats and opportunities, current risk preparedness, lessons learned. Process flow includes Plan Risk Response Strategy and Monitor and Control Risk. Desired outputs: reasonable assurance of success, clear risk policies, comprehensive risk assessments, appropriate risk response plans, actionable contingencies, vigilant risk monitoring and control)

Additionally, the group is responsible for:

* reporting risk issues to the RPC, including a summary of critical risks identified by the business units during their annual risk assessments;
* providing leadership and assistance in facilitating the business unit's development, approval, and subsequent revision of all appropriate risk management policies, procedures, and limits;
* monitoring compliance of the business units with the corporate risk management policy and policies developed and managed to control their risks (daily risk report and limit violations);
* working with the business units to assist the organization in complying with generally accepted accounting principles for all derivative instruments and hedging activities (FAS 133 activities);
* working with FE's risk control to ensure that commodity price and volume risk are identified, monitored, managed, and reported in a timely manner; and
* participating in various task forces and subcommittees (business continuity planning/pandemic, cyber security, price forecasts, etc.).
At United Illuminating (UI), the company employs a continuous strategic planning process to achieve strategic objectives. While these objectives are typically long-term, progress is assessed and measured continuously to reflect gaps overcome and remaining, lessons learned, and changing business demands. These objectives reflect four strategic areas: financial objectives, customer objectives, operational objectives, and capability objectives. Projects to achieve these objectives are also defined through the strategic planning process, which includes risk identification and analysis. Annual goals are captured with a balanced scorecard and the balanced scorecard of divisional and subdivisional goals, providing cohesion across the organization. Bob Paladino comments, “UI's comprehensive approach to integrating strategic planning and measurement with ERM improves transparency and enables managers at all levels to participate in managing this vital process.”

While maintaining a traditional organization structure based upon functions (vertical view), UI has made the transition to process-based management (horizontal or cross-functional view), as shown in Exhibit 7. The process view of the organization reflects what they do as a business, their core processes, and the enabling and governing processes necessary to be successful. As an indicator of the value they place on ERM, “manage risk” is one of their enabling processes. Looking at risk from a process perspective offers advantages over a strict functional view. For instance, in addressing a risk with a functional boundary, the risk may be transferred to another part of the organization, with an overall negative impact on the process. The end-to-end perspective of a process is more holistic and allows more effective ERM.

Exhibit 10: ERM Data Capture and Reporting (survey question 14, "Please indicate if you have automated the capture and/or reporting of risk metrics."; Partner n = 5, Sponsor n = 8)

                                        Partner          Sponsor
                                       Yes     No        Yes     No
  Automated capture of risk metrics    80%    20%         0%   100%
  Automated reporting of risk metrics  60%    40%         0%   100%

Exhibit 11: ERM Technology (bar chart of survey question 17, "Which of the following best describes the technology used to perform ERM? Select all that apply."; categories: standard office application (Excel, Word, Visio), ERM application, document retrieval and storage application, ERP module, process mapping software, reporting/analysis tool, internally developed application, other; Partner n = 5, Sponsor n = 8)

Exhibit 12: Risk Aggregation (bar chart of survey question 20, "Are you able to aggregate the risk metric data gathering and reporting across business units or geographies?"; partners 100 percent yes, 0 percent no; Partner n = 5, Sponsor n = 8)

Historically, UI managed risk on a case-by-case or project-by-project basis. They did a reasonable job, given their strong project management discipline based upon the Project Management Institute's (PMI) Project Management Body of Knowledge (PMBOK). PMBOK includes several key risk-management components to enhance the success of projects.

In 2002, the audit committee of the UI board of directors sponsored an effort to assess risk concerns with several UI subsidiaries. The centerpiece of the program was an enterprisewide risk assessment (ERA) survey that resulted in several risk response strategies. UI's internal audit took over management of the ERA in 2003, and by the end of that year, two recurrent findings highlighted the need for change:

* Risk identification and risk management across all operations was still not occurring.
* ERM was not being driven by the strategy-setting process; therefore, risks were not always addressed in alignment with objectives and strategies of the business.

The solution was to assign ERM responsibilities to strategic business services (SBS), the organizational unit responsible for the strategic planning process at UI. This allowed UI to integrate ERM with strategic planning, process improvement, and project management—core practice areas of SBS—and to leverage process improvement and project management as risk management tools. This effort resulted in an integrated strategic planning and risk management process (see Exhibit 8). Senior leaders meet monthly to go through this process, evaluating strategic projects to ensure that risks are understood, priorities are established, and budgets and resources are in place.

Through each cycle in this process, the SBS organization makes improvements, including timeliness of deliverables, depth of information, measures of effectiveness, and better integration. This is continuous improvement in action. SBS also receives and utilizes the independent review provided by UI's internal audit, as well as the input and feedback of UI's audit committee, to ensure the integrity and thoroughness of the effort.

SBS also prepares two major reports each year: in October to evaluate yearly results and set the goals for the next year and in May as a major status checkpoint. These reports contain qualitative data about identified risks and their associated strategies. They also include consideration for regulatory (both state and federal), tax, legal, and industry changes that impact business.

In 2004, the ERA was integrated into UI's “establish strategic direction” process. While this incorporated key risk activities into planning, it did not address a comprehensive approach to risk management. To resolve this, “manage risk” was made one of UI's nine Level 1 processes in 2005.

Defining risk as one of UI's nine business processes allowed the organization to focus on how risk is integrated with each of its other processes. It also ensured that UI evaluates how risk affects stakeholder value, rather than just as an internal measure. Bob Paladino notes, “UI is one of the few organizations to effectively define, roll out, and implement a process-based organization that incorporates the best of CPM practices throughout.” Using a blend of COSO and PMBOK principles, UI established their “manage risk” process as shown in Exhibit 9. This process has become the foundation for all UI's risk activities, from strategic planning down to individual projects. The objective of this process is not to eliminate all risks, but rather to manage them effectively. Risks can be either negative or positive, threats or opportunities. An opportunity not pursued can be a risk.

Exhibit 14: snapshot of FirstEnergy's ERM intranet site (screenshot showing the sections "What is Enterprise Risk Management", "External Risk Presentations", and "FirstEnergy's Enterprise Risk Management Framework", a list of corporate risk policy documents with a "Click here to view all documents" link, and a posted risk item listing affected KPIs, communication and monitoring reports, and consequence)

Central to this process is the concept that every manager is a risk manager. The expectation is that each manager within UI will:

* be an expert regarding the risk events, likelihoods, impacts, and preparations required;
* align the resources of the organization to continuously monitor and protect; and
* apply the discipline of a well-defined “manage risk” process structure to provide reasonable assurance that UI can meet its objectives in his particular sphere of responsibility.

Although risk management was not new to UI, it had not been standardized or applied at all levels. These were activities that were already being managed, albeit somewhat independently and without common language or process. The first-phase rollout of “manage risk” was targeted to these special risk areas.

Best Practice Finding Statement #2

Mature ERM practices leverage technology to automate data capture and report risk measures. Partner organizations leveraged a variety and number of enabling technologies for ERM.


Supporting Point

Partners and sponsors differ significantly in the use of automated data capture and reporting of risk measures (see Exhibit 10).

* 100 percent of sponsors neither automate data capture nor automate reporting.
* 80 percent of partners automate capture, and 60 percent automate reporting of risk measures.

Supporting Point

Partners are more likely to deploy a variety of software applications to perform ERM; sponsors almost universally use Microsoft Office only (Exhibit 11). Sponsors are more likely to use multiple MS Office and non-MS Office tools.

Supporting Point

One hundred percent of partners aggregate risk metric data across the organization, and 38 percent of sponsors do (Exhibit 12).
At FE, the ERM group leverages an Excel add-on tool, @Risk. The tool enables statistical analysis of data. Monte Carlo simulations and decision trees are done with @Risk. Midas enables modeling of statistical variability and Monte Carlo simulations. Zai*Net is used by FE's unregulated subsidiary as a modeling tool. SAP “houses” the organization's financial/budget system and enables the development of budgets and forecasted earnings.

Below is a list of the tools that FE uses to measure and report risk:

* ERM's intranet site,
* workforce development tool,
* capital allocation: risk measurement tool,
* decision tree analysis (see Exhibit 13 for an example),
* Monte Carlo simulation, and
* quarterly risk report.

Exhibit 14 shows a snapshot of ERM's intranet site. The site is general in nature, providing a definition of enterprise risk. The ERM intranet consists of secure and public sites; the public site is open to all 13,300 FE employees. To access the secure site, a login authentication must be done. The top 30 executives of the organization have access to strategic information and reports on the secure site.
[Exhibit 16 — FirstEnergy’s Risk Reports and Tools: a two-column table listing each risk report or tool and its frequency. Reports and tools listed: Corporate Risk Policies, Forecast and Risk Report, FE Range of Risks, Annual Report, 10K and 10Q, Survey Risk Definitions, Wholesale / Retail Credit Watch List, Liquidity Impact Report, Credit Cash Flow at Risk Report, Risk Report and Sensitivity Analysis, FES Range of Power Margin Risks, FAS-133, Capital Analysis Risk Tool, ECO Technology Risk Matrix, and BV Steam Generator Risk Matrix. Frequencies shown range from daily/weekly through weekly/monthly, monthly, semi-monthly, and semi-annually to annually and “as needed”; one entry refers to the appendix. A further section of the exhibit, “Appendix – Other Risk Reports and Program,” is not reproduced here.]


The workforce development tool provides an example of how the ERM group was able to help assess a particular risk around the aging workforce. Workforce demographics kept showing up on the senior management risk survey. The ERM group met with the human resources group to quantify the aging workforce risk in order to better understand its impact.

No clear risk owner was identified, so a query to SAP was created to provide specific types of information on all 13,300 FE employees. This data was exported to Excel, where pivot tables were created to enable more effective data analysis. The tool provided information based on location such as state, business unit, title, or age. With the ability to filter this information, the business units were able to create succession plans, internship programs, college recruiting initiatives, mentorships, and so on. This tool effectively manages the aging workforce risk, where 25 percent of FE’s employees were eligible to retire in 2006 and 75 percent will be eligible in the next 10 years.

[Exhibit 17 — ERM Formal Training: bar chart of survey question 15, “What percentage of employees at your organization is provided with ERM formal training?”, with response bands 0–25%, 26–50%, 51–75%, and 75–100%, plotted separately for partners (n = 5) and sponsors (n = 8).]

The capital allocation tool enables FE to analyze projects and opportunities to ensure that valuable opportunities have not been missed. This tool provides stakeholders with information to make better decisions and enables better prioritization. The group creates a risk matrix plotting the opportunity or project ratings. Exhibit 15 shows a sample matrix with potential projects plotted. Values, whether tangible (dollar values) or intangible (i.e., increased customer satisfaction), are estimated and assigned to these potential projects. The tool enables better decision making, such as deciding to spend $20,000 to prevent a million-dollar exposure.

One possible use of the tool that may be developed in the future is reviewing a specific project where a value of six may exist in both the X and Y axes; if you multiply both values of six, the result would be 36. If the capital budget for the project were $36 million, the group would be able to assign a million-dollar cost per point. This could be analyzed against other projects that perhaps had lower or higher cost per point and would provide another method to rank projects to allocate capital.

Exhibit 16 lists other reports and tools FE employs in its ERM efforts.
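The cost-per-point ranking sketched above can be worked through in a few lines of code. The following is an added illustration, not FE’s capital allocation tool and not code from the article; it generalizes the single 6 × 6 example to a small portfolio of hypothetical projects (names, ratings, budgets, and exposures are constructed), ranks them by capital cost per matrix point, and funds them greedily against a fixed budget. A project rated zero on either axis has no score and is set aside rather than dividing by zero.

```python
"""Rank capital projects on a two-axis risk matrix by cost per point.

Added example: hypothetical projects and scoring, not FirstEnergy's tool.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Project:
    name: str
    x_rating: int        # rating on the matrix X axis (assumed 0-10 scale)
    y_rating: int        # rating on the matrix Y axis (assumed 0-10 scale)
    capital_usd: float   # requested capital budget in dollars
    exposure_usd: float  # estimated dollar exposure the project prevents


def matrix_score(project: Project) -> int:
    """Matrix score is the product of the two axis ratings (6 x 6 = 36)."""
    return project.x_rating * project.y_rating


def cost_per_point(project: Project) -> Optional[float]:
    """Capital dollars per matrix point; None when the project has no score."""
    score = matrix_score(project)
    if score == 0:
        return None  # a zero rating on either axis cannot be ranked this way
    return project.capital_usd / score


def exposure_per_dollar(project: Project) -> float:
    """Exposure avoided per capital dollar: the $20,000 vs. $1M comparison."""
    return project.exposure_usd / project.capital_usd


def rank_by_cost_per_point(projects: List[Project]) -> List[Project]:
    """Cheapest cost per point first; ties broken by the higher matrix score."""
    rankable = [p for p in projects if cost_per_point(p) is not None]
    return sorted(rankable, key=lambda p: (cost_per_point(p), -matrix_score(p)))


def allocate(projects: List[Project], budget_usd: float) -> List[str]:
    """Fund projects in rank order while they fit in the remaining budget."""
    funded, remaining = [], budget_usd
    for project in rank_by_cost_per_point(projects):
        if project.capital_usd <= remaining:
            funded.append(project.name)
            remaining -= project.capital_usd
    return funded


# Constructed sample portfolio; the first entry mirrors the article's 6 x 6,
# $36 million illustration and yields a million-dollar cost per point.
SAMPLE_PROJECTS = [
    Project("Substation relay upgrade", 6, 6, 36_000_000.0, 90_000_000.0),
    Project("Badge access retrofit", 4, 5, 20_000.0, 1_000_000.0),
    Project("Fleet telematics", 3, 2, 600_000.0, 1_500_000.0),
    Project("Unrated initiative", 0, 5, 50_000.0, 0.0),
]

if __name__ == "__main__":
    for p in rank_by_cost_per_point(SAMPLE_PROJECTS):
        print(f"{p.name:28s} score={matrix_score(p):3d} "
              f"cost/point=${cost_per_point(p):,.0f} "
              f"exposure/$={exposure_per_dollar(p):.1f}")
    print("Funded with $700,000:", allocate(SAMPLE_PROJECTS, 700_000.0))
```

Ranking by cost per point and ranking by exposure per dollar are two different views of the same matrix, and they can disagree; the point of the tool as described is to put both numbers beside each other so the choice is made explicitly.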


Best Practice Finding Statement #3

ERM formal training is conducted with more rigor at partner organizations, enabling the understanding of risk management at the individual level.


Supporting Point

Partners more heavily penetrate the employee base with ERM formal training than do sponsors.

• 100 percent of sponsors train 0 to 25 percent of the employee base, and 60 percent of partners do.

• 40 percent of partners exceed this threshold and train between 26 and 75 percent of the employee base (see Exhibit 17).
SUMMARY

In closing, this consortia research has revealed that best practice enterprises view ERM as a strategic and highly regarded process, not an event. Best practice organizations incorporate ERM into their overall strategic and business planning processes, thus raising its importance and visibility in the organization. This formalization underscores their commitment to ERM and recognition of its value in not only minimizing risk, but also maximizing inputs and visibility of ERM elements enterprisewide. Best practice management teams regularly use the ERM processes in the normal course of their business operations.

Best practice organizations invest more heavily in a range of tools and infrastructure than do sponsors to capture information, conduct risk analyses, and communicate results to their organizations. The ERM process tools also provide for increased transparency and enabling of broad and deep employee usage.


Sebastian Francis is a knowledge management adviser and the financial management program manager
services for rapidly implementing and integrating proven methodologies to drive breakthrough results.